2. IAIK
Background
A-SIT: Security consulting for public institutions
IAIK: IT security research
Combination: Awesome :-)
Thomas Zefferer Sandra Kreuzhuber Peter Teufl
A-SIT
3. IAIK
Mobile Device Security
Sensitive data
Location, documents, credentials etc.
Problems
Threats: theft, malicious software etc.
Heterogeneous platforms
iOS, Android, Windows Phone,
Windows Store, Blackberry, ...
Complexity: securing the systems
developing secure applications
5. IAIK
Internal Use - MDM
Security policy modeled via MDM system
Mobile device locked down according to
policy/requirements
PLUS
Most secure deployment scenario
MINUS
Not possible for citizen applications
Internal use: pressure by BYOD concept
6. IAIK
Internal Use - BYOD
Device belongs to the user
No MDM deployment
Deployment of BYOD solutions on the user’s device
(container applications, application wrapping)
PLUS
User has full control over the device
MINUS
Security!
Legal and technical issues
7. IAIK
Citizen - MGov Applications
Applications developed for the citizen
Likely to handle critical data (personal data, etc.)
Similar considerations as for BYOD (however even fewer restrictions)
Considerations are also valid for non M-Gov apps
Banking apps, password safes, theft protection apps etc.
9. IAIK
Platform Security Features
Data Protection
Access protection
Encryption
Secure storage of credentials
MDM
Malware Resistance
Application APIs, sources
Permission system
Rooting, jailbreaking?
OS security
Updates, fragmentation
Security Analysis?
10. IAIK
Access protection, encryption, secure storage of credentials
How does the encryption system work?
Is encryption based on a hardware element?
Is the user’s PIN involved in the key derivation function?
What is the scope of the encryption system?
What does the developer need to know?
How are backups encrypted?
Access Protection
12. IAIK
Mobile Device Management
Mobile Device Management (MDM)
Which rules?
How is the system integrated
into the mobile device OS?
Fragmentation?
13. IAIK
Applications
Application sources? Defined markets? Alternative sources (email, etc.)?
Application APIs?
Security, system integration etc.
Security: What does the developer
need to know?
Permission System?
Usability, which permissions?
14. IAIK
Core Security
OS security
Low-level malware protection (buffer overflows, sandboxes, operating
system architecture, programming languages)
Updates, fragmentation
Updates?
Fragmentation of OS versions?
Fragmentation of functionality (due to extensions of the OS)?
15. IAIK
Platform Security - Managed
Managed devices
Which criteria?
MDM, MAM: functionality!
Applications (when not restricted)
Data Protection (mainly encryption)
[Figure: managed smartphone with MDM security config, MAM and apps]
16. IAIK
BYOD
Challenging in terms of security
(and also legal considerations)!
Device is not managed!
Activation of OS security features depends on the user
Solutions:
Container applications
Application wrappers
OS integrated solutions (Blackberry Balance)
17. IAIK
MDM, BYOD
[Figure: four smartphone architectures compared: MDM, Container App, App Wrappers, Blackberry Balance (separate business and private areas)]
18. IAIK
BYOD
Container Applications
Provide mail, contacts
browser, calendar
secure file storage in a specific application
Application cannot assume a secure
environment:
Needs to implement its own security features
encryption, secure communication, root/jailbreak checks
highly platform specific
(need to know the security features, APIs etc.)
19. IAIK
Example
Container applications (also valid for mGov applications with sensitive data)
Key Derivation (from password to encryption key)
is a key requirement for secure encryption systems
Key derivation principles
Salt (no pre-calculated password tables)
Long derivation time (e.g. 80ms per passcode, on iOS)
Need to have cryptographic know-how to get it right
Mistakes: simple brute-force attacks...
[Figure: key derivation diagram with labels passcode, salt, key derivation, derived key, data encryption key]
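Added example (not part of the original slides): a sketch of the key derivation principles above, with a random per-record salt and an iteration count calibrated to the 80 ms per passcode quoted for iOS. PBKDF2-HMAC-SHA256 is an assumption, since the slides do not name the derivation function, and all function names are hypothetical.

```python
import hashlib, hmac, os, time

def derive_key(passcode: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed KDF): passcode + salt -> 32-byte derived key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=32)

def calibrate_iterations(target_s: float = 0.080, probe: int = 20_000) -> int:
    """Time a probe run on this device and scale the count to ~target_s per guess."""
    start = time.perf_counter()
    derive_key("probe", b"\x00" * 16, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_s / elapsed))

def enroll(passcode: str, iterations: int) -> dict:
    """Build the stored record: fresh random salt, cost, and a verifier (never the key)."""
    salt = os.urandom(16)
    key = derive_key(passcode, salt, iterations)
    verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}

def unlock(record: dict, passcode: str):
    """Re-derive the key; return it only if the verifier matches (constant-time compare)."""
    key = derive_key(passcode, record["salt"], record["iterations"])
    check = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, record["verifier"]) else None

def exhaustive_search_seconds(keyspace: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every passcode at the given derivation cost."""
    return keyspace * seconds_per_guess

if __name__ == "__main__":
    n = calibrate_iterations()
    rec = enroll("493817", n)  # constructed sample passcode
    print("iterations:", n, "unlock ok:", unlock(rec, "493817") is not None)
    for digits in (4, 6):
        hours = exhaustive_search_seconds(10 ** digits, 0.080) / 3600
        print(digits, "digit passcode, worst case:", round(hours, 2), "h")
```

The salt makes two users with the same passcode end up with different keys, and the calibrated cost is what turns a short numeric passcode into minutes or hours of work per device instead of milliseconds.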
21. IAIK
Citizen Application
Citizen applications for handling critical data
(similar to banking apps, password safes)
same considerations as for container applications
arbitrary environment (even less restricted than in BYOD), devices, versions
threat of malware (arbitrary application sources, malware)
22. IAIK
Best Practice Managed
iOS:
encryption, MDM, application security/features
Android:
highly depends on the platform!
Stock Android: Lacking important MDM features!
Windows Phone/Windows Store:
Lacking MDM features, VPN (8.1 update...), otherwise comparable to iOS
Blackberry: Balance Framework! Good architecture.
23. IAIK
Best Practice BYOD
Blackberry:
Balance framework: Huge plus (integrated BYOD solution)
iOS, Windows Phone/Store:
Huge advantages over Android
Android:
Alternative sources, deeply integrated system APIs, malware situation
24. IAIK
Best Practice Citizen App
No platform choice, market and users decide
Developing apps which handle sensitive data
Know the platforms, their security features, weaknesses
Development by a security-aware team: cryptography, IT security,
detailed knowledge about the platforms
Keep data on the device limited
iOS, Windows Phone, Blackberry easier to handle. Android ???